If you have a Linux system running in Secure Boot and you install VirtualBox or VMware player you will see, with some frustration, that you won’t be able to run any VMs.

This post also applies if you are running your system with module signature verification enabled (CONFIG_MODULE_SIG) even if it’s not running in Secure Boot.

This is an old issue, and I’ve already written about it in another post almost 2 years ago, but at this point some degree of imagination is needed to succeed following that guide, so I have finally decided to update it. The reason why it took me so long to update the post is that I haven’t had VirtualBox or VMware player installed for quite a long time.

To install VirtualBox we’ll use the repository:

user@localhost:$ sudo dnf install gcc kernel-devel VirtualBox

Earlier picture shows what you’ll see from the GUI, but if you run it from the console you’ll see:

user@localhost:$ virtualboxWARNING: The vboxdrv kernel module is not loaded. Either there is no moduleavailable for the current kernel (4.5.7-202.fc23.x86_64) or it failed toload. Please recompile the kernel module and install it by

And then you’ll realize what the problem is, modprobe is complaining about required key not being available. Which actually means that the module is not signed and therefore cannot be loaded.

Now that you know what the problem is, the solution is quite simple; you just need to sign the module and make sure that the system recognizes the key as valid.

If you already have a X.509 key you can skip the key creation part and go directly to signing the module and enrolling the key. But if you don’t, you’ll need to generate a key to sign any third party module you want to install or any custom module you use.

In the above command, replace MOK with the name of the file you want for the key and Akrog with the Common Name you want to use. It’s usually the organization that signs it, but you can write whatever you like, although I recommend a significant name as it will be inserted into the system’s key ring.

VirtualBox uses multiple kernel modules and we need to sign them all. In my previous post I went into a little bit more detail, but I think it’s enough to say that we need to get the location of the modules using modinfo and then signing them using sign-file script like this:

Modinfo no longer displays module signed information, so we’ll have to trust that this has worked.

To enroll the public key in the MOK (Module owned Key) your UEFI partition must have MokManager.efi installed. You can check this running

user@localhost:$ sudo find /boot -name MokManager.efi

Now we have to manually add the public key to shim’s MOK list and we’ll be asked for a password that will be used during the UEFI boot to enroll the new key, so make sure you remember it at least for a minute ;-):

What we’ve done with this is request the MOK manager to insert a new key, but we haven’t inserted it yet, so we need to reboot for that and follow the enrolling process that is quite straight forward: Press a key to start the process if you are asked to, then select “Enroll MOK”, then “Continue”, and then “Yes”; and the key has been inserted. This is a persistent operation, so you’ll only need to do this once.

When you have finished booting you can easily check that the key is in the system key ring using the CN we used when creating the X.509 key:

For a more detailed description of the process of signing kernel modules you can check Red Hat’s documentation here.

If you read VirtualBox ticket regarding this issue you’ll see they wash their hands on the matter saying: “This is not really a VirtualBox bug. Oracle cannot sign kernel modules using the Fedora key”.
I for one believe that this is a bug in the installation, as they could easilly see if the installation is running on a BIOS or EFI/UEFI system (checking for /sys/firmware/efi directory) and whether Secure Boot is enabled or not (checking the efivar SecureBoot) and if it’s enable request a key to sign the driver or ask you if you want to create one and have it inserted it in the MOK automatically.

VMware signing should be the very similar, unfortunately I cannot check it because the installer won’t work when you have KVM running, as is my case, and even when I disabled KVM modules temporarily and was able to install it, the module compilation using vmware-modconfig wouldn’t work as it should. So I’ll assume we have the VMware player installed and the kernel modules compiled.

For those fighting the VMware installation, it’s worth mentioning that in the older post Pipio was having trouble with VMware and this post in the message board helped in the resolution of the problem.

The last time I run VMware without signed kernel modules the error that was displayed was this:

So for VMware the signing would be like for VirtualBox, but replacing vboxdrv with vmmon like this: